526 error on SSL FULL STRICT (ORIGINAL CERTIFICATION )

I contacted tech support; they disabled the certificate that was signed by my server and temporarily disabled the protection against DDoS, so that nothing conflicts. Can you look again? Error 526 is still there.

@fritex Sorry to mention, the posting system won’t let me send a message, says to wait 12 hours, had to mention it.

I am sorry to say, but I am afraid I cannot because I cannot find your domain name being shared here as it wasn’t even posted before :confused:

Again, if you cannot get a valid Let’s Encrypt / AutoSSL certificate for your domain name and want Full (Strict) SSL, options are:

  1. Purchase an SSL certificate which covers your naked (root) domain + www + any other sub-domain (if you are using it)
  2. Use Cloudflare Origin CA certificate

rainford-rp.ru

I use Original and Edge Certificates from Cloudflare

Great, but did you also add the Cloudflare Root CA?

Here:

Source:

I can still see the same error:

Maybe your hosting doesn’t allow you this.

There was one particular topic lately, where we spent almost a week and more than 70 posts, or even more, where the user used a Cloudflare Origin CA certificate, but GoDaddy didn’t support it and was throwing a 525 error all the time, no matter which SSL option the user selected → a similar error, but there the hosting didn’t accept the Cloudflare Origin CA certificate.

If your site is working fine with Full, then leave it on Full. Otherwise, I am afraid you should try to either set it up on some custom domain, or use a sub-domain and a different hosting provider, or use some other hosting provider for your main domain to try it out.

Forcing Full (Strict) when it’s not working, I am sorry but I do not understand why would we.


Hmm, pretty weird. I even turned off L7 protection, as maybe it could conflict with the cloud; the self-signed certificate on the server side was also turned off. Maybe the trouble is in my server configuration? Where does the Cloudflare Root CA need to be used? In the client request verification (ssl_client_certificate in nginx)? I could be wrong.

Come on, we had these discussions a million times. Advising people to disable their site’s security really is not a good idea.

There’s a reason we have articles on that.


No, just put it into the /etc/ssl where all other are located.

Maybe your hosting doesn’t have it and therefore throws this error too.

Otherwise, maybe … may I ask is your hosting provider offering ModSecurity or Imunify360 to you? :thinking:

And we are going in a loop of guessing, I am afraid.


Oh… I don’t know at all( maybe?

Try to ask them if so, maybe that’s the issue here.


Supported

I tried a complete reinstallation of the operating system, put a clean web server there and re-issued the cloud certificates; it had no effect.

curl -svo /dev/null --resolve rainford-rp.ru:443:x.x.x.x https://rainford-rp.ru/
I tried to run the command from the documentation to check whether the server has a self-signed certificate; the answer was different.

* Expire in 0 ms for 6 (transfer 0x5629e1597c10)
* Added rainford-rp.ru:443:x.x.x.x to DNS cache
* Hostname rainford-rp.ru was found in DNS cache
*   Trying x.x.x.x...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5629e1597c10)
* Connected to rainford-rp.ru (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1206 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

@fritex Please forgive me for mentioning this, but I really need your help. I’ve been racking my brain all day for three days now, and the 12 o’clock system won’t let me write again.

@MoreHelp
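The curl output above is the expected result when the origin serves a certificate from a private root: the public trust store does not contain that root, so “unable to get local issuer certificate” says nothing about whether Cloudflare (which does trust its own Origin CA) will accept it. The added script below (not from this thread or from Cloudflare) reproduces that offline with a throwaway root standing in for the Cloudflare Origin CA root, and shows the two checks Full (Strict) actually needs: a chain to the supplied root and a hostname match. It assumes only an `openssl` binary (1.1.0 or newer) and uses the thread’s domain as sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces offline what the curl output shows:
# a certificate issued by a private root (the Cloudflare Origin CA is one) fails
# against the public trust store, but verifies once the root is supplied, as the
# Cloudflare edge does for Full (Strict). The throwaway root generated here stands
# in for the Cloudflare Origin CA root you would download.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="rainford-rp.ru"   # domain from the thread, used as sample data

# 1. Private root CA (stand-in for the Cloudflare Origin CA root).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Private Origin Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Origin certificate: key + CSR, then signed by the private root with SANs for the
#    site. This is the cert.pem/key.pem pair nginx references via ssl_certificate(_key).
openssl req -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/cert.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/cert.pem" 2>/dev/null

# verify_origin CERT CAFILE HOSTNAME -> prints "ok" or "fail".
# An empty CAFILE means "no private root", i.e. only what a default curl/openssl
# trust store knows; -verify_hostname adds the SAN match Full (Strict) also requires.
verify_origin() {
  cert=$1; cafile=$2; host=$3
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

echo "public store only, as plain curl sees it: $(verify_origin "$WORK/cert.pem" "" "$DOMAIN")"
echo "with the private root, correct hostname:  $(verify_origin "$WORK/cert.pem" "$WORK/root.pem" "$DOMAIN")"
echo "with the private root, wrong hostname:    $(verify_origin "$WORK/cert.pem" "$WORK/root.pem" "other.example")"
```

Against a live origin the same distinction is made with `curl --cacert <cloudflare-origin-root.pem>` instead of the default store; a failure there, or a hostname not covered by the certificate’s SANs, is what produces a 526 at the edge.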

I am not aware of this error, but seems like you are missing the Cloudflare Root CA certificate at your origin host/server:

What version of OpenSSL are you using? Is it updated? Have you got the ca-certificates package installed?

If you followed the steps to create a Cloudflare Origin certificate:

And saved the provided output as “cert.pem” and “key.pem”, placed them somewhere on your server, and pointed to their correct path in the Nginx vhost file for your website by defining ssl_certificate and ssl_certificate_key.

After that, if you downloaded and placed Cloudflare Root CA in /etc/ssl/:

It should work fine if your server supports 443 (HTTPS) and if your website is configured to listen on port 443 ssl in Nginx, with Full (Strict) SSL.

Otherwise, again, I am not sure why you cannot generate a valid SSL certificate (using Let’s Encrypt / ACME / Certbot) when you are using “Pause Cloudflare” or temporarily switch all the DNS records to :grey: (DNS-only), unless it is due to the rate limit for your domain in the previous 24 hours? :thinking:

  • maybe using “staging” certificate, if so …

I can offer, of my own free will, to ask you in a PM for contact information so we could share information related to your hosting, so I could re-check and do this for you; otherwise you might have to troubleshoot more with someone experienced, or pay someone to do this for you, in case I do not know what the reason could be :frowning:

  • I usually don’t do this via DMs …

Currently rainford-rp.ru does not have an A record and is not responding when I check.

This SSL / HTTPS thing in the field of security isn’t so easy to set up at first glance.


@fritex Is that normal? I checked the certificates for the domain through the site; they usually indicate Cloudflare, but in my case they don’t.

I checked and see it too.
I believe that’s okay as far as Cloudflare uses different CA’s to issue Universal/ACM SSL certificates for domains using Cloudflare. :thinking:

I emailed you my email; the problem still persists.